diff --git a/packages/@aws-cdk/aws-lambda-event-sources/lib/kafka.ts b/packages/@aws-cdk/aws-lambda-event-sources/lib/kafka.ts
index 09c31d718226a..2572e6a2390c4 100644
--- a/packages/@aws-cdk/aws-lambda-event-sources/lib/kafka.ts
+++ b/packages/@aws-cdk/aws-lambda-event-sources/lib/kafka.ts
@@ -29,6 +29,20 @@ export interface ManagedKafkaEventSourceProps extends KafkaEventSourceProps {
   readonly clusterArn: string
 }
 
+/**
+ * The authentication method to use with SelfManagedKafkaEventSource
+ */
+export enum AuthenticationMethod {
+  /**
+   * SASL_SCRAM_512_AUTH authentication method for your Kafka cluster
+   */
+  SASL_SCRAM_512_AUTH = 'SASL_SCRAM_512_AUTH',
+  /**
+   * SASL_SCRAM_256_AUTH authentication method for your Kafka cluster
+   */
+  SASL_SCRAM_256_AUTH = 'SASL_SCRAM_512_AUTH',
+}
+
 /**
  * Properties for a self managed Kafka cluster event source.
  * If your Kafka cluster is only reachable via VPC make sure to configure it.
@@ -66,7 +80,7 @@ export interface SelfManagedKafkaEventSourceProps extends KafkaEventSourceProps
    *
    * @default - SASL_SCRAM_512_AUTH
    */
-  readonly authenticationMethod?: 'SASL_SCRAM_512_AUTH' | 'SASL_SCRAM_256_AUTH'
+  readonly authenticationMethod?: AuthenticationMethod
 }
 
 /**
@@ -123,10 +137,14 @@ export class SelfManagedKafkaEventSource extends StreamEventSource {
 
   public bind(target: lambda.IFunction) {
     let authenticationMethod;
-    if (this.innerProps.authenticationMethod == undefined || this.innerProps.authenticationMethod == 'SASL_SCRAM_512_AUTH') {
-      authenticationMethod = lambda.SourceAccessConfigurationType.SASL_SCRAM_512_AUTH;
-    } else {
-      authenticationMethod = lambda.SourceAccessConfigurationType.SASL_SCRAM_256_AUTH;
+    switch (this.innerProps.authenticationMethod) {
+      case AuthenticationMethod.SASL_SCRAM_256_AUTH:
+        authenticationMethod = lambda.SourceAccessConfigurationType.SASL_SCRAM_256_AUTH;
+        break;
+      case AuthenticationMethod.SASL_SCRAM_512_AUTH:
+      default:
+        authenticationMethod = lambda.SourceAccessConfigurationType.SASL_SCRAM_512_AUTH;
+        break;
     }
     let sourceAccessConfigurations = [{ type: authenticationMethod, uri: this.innerProps.secret.secretArn }];
     if (this.innerProps.vpcSubnets !== undefined && this.innerProps.securityGroup !== undefined) {
diff --git a/packages/@aws-cdk/aws-lambda-event-sources/test/test.kafka.ts b/packages/@aws-cdk/aws-lambda-event-sources/test/test.kafka.ts
index db5fc49aa971d..f3e75a9f455e8 100644
--- a/packages/@aws-cdk/aws-lambda-event-sources/test/test.kafka.ts
+++ b/packages/@aws-cdk/aws-lambda-event-sources/test/test.kafka.ts
@@ -1,10 +1,11 @@
-import { expect, haveResource } from '@aws-cdk/assert';
+import { arrayWith, expect, haveResource } from '@aws-cdk/assert';
 import { SecurityGroup, SubnetType, Vpc } from '@aws-cdk/aws-ec2';
 import * as lambda from '@aws-cdk/aws-lambda';
 import { Secret } from '@aws-cdk/aws-secretsmanager';
 import * as cdk from '@aws-cdk/core';
 import { Test } from 'nodeunit';
 import * as sources from '../lib';
+import { AuthenticationMethod } from '../lib';
 import { TestFunction } from './test-function';
 
 export = {
@@ -215,10 +216,10 @@ export = {
         vpc: vpc,
         vpcSubnets: { subnetType: SubnetType.PRIVATE },
         securityGroup: sg,
-        authenticationMethod: 'SASL_SCRAM_256_AUTH',
+        authenticationMethod: AuthenticationMethod.SASL_SCRAM_256_AUTH,
       }));
 
-    expect(stack).to(haveResourceLike('AWS::Lambda::EventSourceMapping', {
+    expect(stack).to(haveResource('AWS::Lambda::EventSourceMapping', {
       SourceAccessConfigurations: arrayWith(
         {
           Type: 'SASL_SCRAM_256_AUTH',